Moves logic for determining provider class from action_init to set_pr…

…ovider, to avoid undesired session_start
pantheon-systems · May 26, 2020 · d2bcf8e · d2bcf8e
1 parent bd06228
commit d2bcf8e
Showing 1 changed file with 26 additions and 15 deletions.
diff --git a/inc/class-wp-saml-auth.php b/inc/class-wp-saml-auth.php
@@ -61,14 +61,18 @@ public static function get_option( $option_name ) {
 	 * @return mixed
 	 */
 	public function get_provider() {
+		if ( is_null( $this->provider ) ) {
+			$this->set_provider();
+		}
 		return $this->provider;
 	}
 
 	/**
-	 * Initialize the controller logic on the 'init' hook
+	 * Determines the provider class to use and loads an instance of it, stores it to ->provider
+	 * @return void
 	 */
-	public function action_init() {
-
+	protected function set_provider()
+	{
 		$connection_type = self::get_option( 'connection_type' );
 		if ( 'internal' === $connection_type ) {
 			if ( file_exists( WP_SAML_AUTH_AUTOLOADER ) ) {
@@ -114,6 +118,12 @@ function() {
 			}
 			$this->provider = new $this->simplesamlphp_class( self::get_option( 'auth_source' ) );
 		}
+	}
+
+	/**
+	 * Initialize the controller logic on the 'init' hook
+	 */
+	public function action_init() {
 		add_action( 'login_head', array( $this, 'action_login_head' ) );
 		add_action( 'login_message', array( $this, 'action_login_message' ) );
 		add_action( 'wp_logout', array( $this, 'action_wp_logout' ) );
@@ -184,13 +194,14 @@ public function action_login_message( $message ) {
 	 * Log the user out of the SAML instance when they log out of WordPress
 	 */
 	public function action_wp_logout() {
+		$provider = $this->get_provider();
 		if ( 'internal' === self::get_option( 'connection_type' ) ) {
 			$internal_config = self::get_option( 'internal_config' );
 			if ( empty( $internal_config['idp']['singleLogoutService']['url'] ) ) {
 				return;
 			}
 		}
-		$this->provider->logout( add_query_arg( 'loggedout', true, wp_login_url() ) );
+		$provider->logout( add_query_arg( 'loggedout', true, wp_login_url() ) );
 	}
 
 	/**
@@ -235,15 +246,15 @@ public function filter_authenticate( $user, $username, $password ) {
 	 * Do the SAML authentication dance
 	 */
 	public function do_saml_authentication() {
-
-		if ( is_a( $this->provider, 'OneLogin\Saml2\Auth' ) ) {
+		$provider = $this->get_provider();
+		if ( is_a( $provider, 'OneLogin\Saml2\Auth' ) ) {
 			if ( ! empty( $_POST['SAMLResponse'] ) ) {
-				$this->provider->processResponse();
-				if ( ! $this->provider->isAuthenticated() ) {
+				$provider->processResponse();
+				if ( ! $provider->isAuthenticated() ) {
 					// Translators: Includes error reason from OneLogin.
-					return new WP_Error( 'wp_saml_auth_unauthenticated', sprintf( __( 'User is not authenticated with SAML IdP. Reason: %s', 'wp-saml-auth' ), $this->provider->getLastErrorReason() ) );
+					return new WP_Error( 'wp_saml_auth_unauthenticated', sprintf( __( 'User is not authenticated with SAML IdP. Reason: %s', 'wp-saml-auth' ), $provider->getLastErrorReason() ) );
 				}
-				$attributes      = $this->provider->getAttributes();
+				$attributes      = $provider->getAttributes();
 				$redirect_to     = filter_input( INPUT_POST, 'RelayState', FILTER_SANITIZE_URL );
 				$permit_wp_login = self::get_option( 'permit_wp_login' );
 				if ( $redirect_to ) {
@@ -264,9 +275,9 @@ function() use ( $redirect_to ) {
 			} else {
 				$redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );
 				$redirect_to = $redirect_to ? $redirect_to : $_SERVER['REQUEST_URI'];
-				$this->provider->login( $redirect_to );
+				$provider->login( $redirect_to );
 			}
-		} elseif ( is_a( $this->provider, $this->simplesamlphp_class ) ) {
+		} elseif ( is_a( $provider, $this->simplesamlphp_class ) ) {
 			$redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );
 			if ( $redirect_to ) {
 				$redirect_to = add_query_arg(
@@ -287,12 +298,12 @@ function() use ( $redirect_to ) {
 					$redirect_to = add_query_arg( array( 'action' => 'wp-saml-auth' ), $redirect_to );
 				}
 			}
-			$this->provider->requireAuth(
+			$provider->requireAuth(
 				array(
 					'ReturnTo' => $redirect_to,
 				)
 			);
-			$attributes = $this->provider->getAttributes();
+			$attributes = $provider->getAttributes();
 		} else {
 			return new WP_Error( 'wp_saml_auth_invalid_provider', __( 'Invalid provider specified for SAML authentication', 'wp-saml-auth' ) );
 		}
@@ -303,7 +314,7 @@ function() use ( $redirect_to ) {
 		 * @param array  $attributes All attributes received from the SAML response.
 		 * @param object $provider   Provider instance currently in use.
 		 */
-		$attributes = apply_filters( 'wp_saml_auth_attributes', $attributes, $this->provider );
+		$attributes = apply_filters( 'wp_saml_auth_attributes', $attributes, $provider );
 
 		/**
 		 * Runs before the SAML authentication dance proceeds